Attacks/Breaches
1/9/2013
11:07 AM
Connect Directly
RSS
E-Mail
50%
50%

U.S. Bank Hack Attack Techniques Identified

Security researchers detail how poorly secured, hosted servers helped launch botnet-based attacks; U.S. government continues to blame Iran.

Self-proclaimed Muslim hacktivists that have been disrupting U.S. banks' websites since September are compromising poorly secured, hosted servers to sustain their large-scale attacks.

That warning comes by way of security firm Incapsula, which said it recently discovered that "a small and seemingly harmless general interest U.K. website" that it was monitoring had been compromised and made part of a botnet that's been used, in part, to attack U.S. banks' websites.

After Incapsula was hired to monitor the site earlier this month, its security team soon began seeing a suspicious amount of "requests with encoded PHP code payload" directed at the site, said Ronen Atias, a security analyst at Incapsula, in a blog post. After investigating, Incapsula found that the website had been previously compromised, and that the traffic was being directed from a botnet command-and-control (C&C) server to a backdoor installed by attackers on the website server.

"The backdoor was instructed to launch HTTP and UDP flood attacks against several U.S. banks, including PNC, HSBC and Fifth Third Bank," said Atias. How had attackers managed to compromise the site, which Incapsula declined to name? According to Atias, the site was access-controlled using a username and password that were both set to "admin."

The attack requests spotted by Incapsula occurred after a New Year's Day post from the Izz ad-Din al-Qassam Cyber Fighters Muslim hacktivist group, promising to continue the months-long campaign of U.S. financial website disruptions. "Rulers and officials of American banks must expect our massive attacks! From now on, none of the U.S. banks will be safe from our attacks," read the post.

Since September, the distributed denial of service (DDoS) attacks launched by the hacktivists -- under the banner of "Operation Ababil" -- have disrupted the websites of numerous financial institutions, including Bank of America, BB&T, Capital One, HSBC, JPMorgan Chase, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. The attackers say the attacks are in retaliation for YouTube continuing to host Innocence of Muslims, a film that mocks the founder of Islam.

[ Bank hackers were big news last year, but they had company. See 9 Ways Hacktivists Shocked The World In 2012. ]

Despite the attackers generally previewing attack times and targets in advance, the sheer scale of the DDoS attacks has overwhelmed banks' websites. While the typical small and midsize business (SMB) website might handle 1 Gbps, and an enterprise or government data center support 10 Gbps, according to Prolexic Technologies, the attackers have achieved massive, sustained packet floods of 70 Gbps.

But many U.S. government officials and information security experts say that they continue to believe that the attacks have been launched not by hacktivists, but the Iranian government, likely as retaliation for economic sanctions, as well as the United States' own cyber attacks against Iran.

"There is no doubt within the U.S. government that Iran is behind these attacks," James A. Lewis, a former official at the State and Commerce Departments who's a cybersecurity expert at the Center for Strategic and International Studies in Washington, told The New York Times. In large part, that's due to the apparent skill and sophistication behind the attacks, as well as the fact that they're designed not for financial gain, which is the typical modus operandi of criminals, but rather disruption, which instead suggests the work of a nation state.

Through Pastebin pronouncements and media interviews, however, the Izz ad-Din al-Qassam Cyber Fighters have long maintained that their group is not sponsored by any government, and that its members hail from multiple countries.

Regardless, one example of the group's technological sophistication is the apparent ease with which it's overwhelmed the websites of some of the world's largest financial institutions -- and according to Incapsula, the attack code it discovered was designed for just that purpose. "The PHP [DDoS] code was designed to multiply itself, so it could take advantage of the full capacity available on the server," said Atias. "Since this is a server on [a] hoster's backbone, it was potentially capable of producing much more traffic volume than a regular 'old school' botnet zombie."

The botnet's controllers also cycled the DDoS attacks for maximum effectiveness. "As we continued to monitor the incoming [DDoS] commands, we saw that the attacks were precisely timed, limited for periods that varied from 7 minutes to an hour," said Atias. "The botnet C&C was commanding it to work in 'shifts,' maximizing its efficiency and ordering it to renew the attack just as the target would start to recover. During some of these shifts the backdoor was instructed to change target and attack unrelated commercial and e-commerce sites. This all led us to believe that we were monitoring the activities of a botnet for hire."

Expect the attacks against bank websites to continue. Indeed, the hacktivists promised Tuesday to continue their campaign for at least 56 more weeks, or else until YouTube had removed the offending film. "We have repeatedly stated that removal of the offensive video, Innocence Of Muslims, from YouTube is the simplest solution to stop the cyber-attacks. But ... decision-makers in America have adopted the toughest, most expensive and least effective method," according to a Pastebin post uploaded Tuesday by the hacktivists.

In September, the Obama administration did ask Google to review its rules on hate speech and banning YouTube videos. Google officials responded that the video criticized the religion of Islam, but not Muslim people, reported The New York Times. As a result, Google said that the video would remain online, except in India and Indonesia, where it had violated local laws.

As of Tuesday morning, Sitedown website users were reporting higher than normal levels of disruption at the websites of Bank of America, Capital One, Citibank and Fifth Third banks.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.